
We’re increasingly seeing the industry fill up with Field CISOs. Why is the CISO out in the field? What does that role entail?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap). Joining us is Bil Harmer, operating partner and CISO, Craft Ventures.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Cyera

Full Transcript
Intro
[David Spark] We’re increasingly seeing the industry fill up with field CISOs. Why is a CISO out in the field? What does that role actually entail?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark. I am the producer of the CISO Series and joining me for this very episode, it’s the one and only Geoff Belknap. Geoff, say hello to the nice friendly audience.
[Geoff Belknap] Hello, nice friendly audience. Thanks for coming again.
[David Spark] Our sponsor for today’s episode is Cyera. Holistic data security in one cloud platform. I’m going to tell you exactly what that is. It’s pretty darn cool. And you’re going to want to hear it a little bit later in the show. All right, Geoff, we’re going to be talking about the topic of field CISOs.
What does this actually mean? Because this is bizarrely a hot topic in this space. Is this an advisory role or does it align more closely with sales engineering? Gadi Evron, who’s the CISO over at Knostic, he wondered on LinkedIn why are so many security peers moving into these roles as if they warrant the CISO title.
So, there’s a question about that. And who are these people? What does the role entail? Is it the same thing as a regular CISO? What’s your take on this?
[Geoff Belknap] My take on this has evolved, but I’m still firmly in the camp of we shouldn’t be using the CISO component of the title unless the person has operational responsibility and accountability for security at their organization. Now, that being said, I think I personally only get kind of worked up when the title is sort of intentionally ambiguous about what the responsibilities of this person are.
But like many of my peers, I have a deep respect for a lot of people that are carrying various different titles. Some of them have CISO worked into them. And I think, honestly, this is something that our industry needs to work on a little bit. It does get confusing, but it is not an immediate flag that this person is incompetent or otherwise does not have something to share.
[David Spark] That is a good point to make right there. We’re going to delve into it. And actually, the person that is joining us originally did this job. He claims he never actually had the title, but we’re going to delve more into that. Very excited to have him on. I got to meet him in person, actually, at a live show we did in Silicon Valley not too long ago.
Anyways, thrilled to have him on board. It’s none other than Bil Harmer, who is the operating partner and CISO over at Craft Ventures. Bil, thank you so much for joining us.
[Bil Harmer] Thanks for having me. Pleasure to be here.
What are the complaints?
2:46.989
[David Spark] Phil Venables, who’s the CISO over at Google, said, “I’m the CISO for Google Cloud with the consequent responsibilities and other roles as well. Not a field CISO, whatever that is. I have a team we call our Office of the CISO who are the former CISOs from multiple sectors and geographies who work with our customer CISOs, CROs, CEOs, boards, etc.
We don’t describe them as field CISOs.” Dmitriy Sokolovskiy of Semrush said, “Just like the CISO-in-residence should be a temporary role for a CISO, so is the field CISO. In this role, CISO continues to use their experience to translate real CISO customer needs into language that sales understand. But after several years, they should go back to being a CISO, not to lose their edge.” That is a take I have not heard before.
So, there’s a couple of things here. Phil Venables said, “I’m actually CISO for Google,” which they need, of course. But then there’s all these other offices, CISO roles, which are unique. And then this thought of field CISOs should be temporary, which I haven’t heard that take. What’s your take, Geoff?
[Geoff Belknap] I think these are two really good points as part of this discourse here. I think Phil’s take on this is personally my favorite. I think it’s really important, especially for impactful organizations like Google’s, to have people that have depth and expertise in the space, that are available to customers or to just the industry in general to opine and give opinions, and to sort of attach their work to Phil’s office.
To indicate that these are not just field salespeople with a gussied-up title. They’re industry experts. I’m not sure about Dmitriy’s point. I have to think about that a little more. I feel like he’s taking more of the approach that CISOs are like doctors, and when you stop practicing or operating, you need some recurrent training.
Yes and no. I think you can absolutely be in one of these field marketing or sales-facing roles and have a lot of value to add, both to the sales process, but also to customers in general. I don’t know that it requires you have ever been a CISO or you need to go back to being a CISO to add a lot of value.
[David Spark] That’s an interesting point. All right, Bil – Bil, who’s actually sat in this seat – first, give us a little background of the role you played and the title you had, and what’s your take on both of these comments?
[Bil Harmer] Sure. I joined Zscaler in 2015. Originally the title was strategist, because they didn’t want CISO or any chief title being used anywhere except where it truthfully belonged. That evolved into CISO Americas. So, I ran the Americas. I had internal CISO responsibilities, though they were pared down because we had several CISOs, and they were split up.
But the primary responsibility I had was to be in front of customers explaining why with credibility. And that was the difference. You could take a firewall out of your office, put it in the cloud and still function. They were running into a lot of issues with salespeople, even strong sales engineers, explaining that to a C-level, that you’re going to structurally and fundamentally change your architecture and not be worse for wear.
[David Spark] Did you have a previous CISO title prior to that role?
[Bil Harmer] I was the chief security officer for GoodData.
[David Spark] Okay. Go on.
[Bil Harmer] It just became one of those things where I could come in and say I’ve sat in the chair. I understand the budget issues. I understand the usability issues, the care and feeding issues, the maintenance issues, all the things that go with hardware, and here’s why I think it’s a good idea. But there are a lot of caveats to this, right?
Treating these salespeople with commission, sales engineers, that’s the difference. They run on what they sell of the product. I had no commission. I did not want a commission. I fought against commissions for me because I needed independence in what I said. There’s a lot of people out there that saw me speak on stage about this, where I would walk them into a Palo Alto shop and say, “Here’s a good sales rep.
Talk to them. You need Palo. You do not need Zscaler.”
[David Spark] How did Zscaler feel about that? [Laughter]
[Bil Harmer] There have been a couple of incidents where some salespeople have looked at me with complete horror, even in a sales meeting where I told the customer I didn’t want them as a customer because they were going to literally rebuild the same horrible setup they had with Zscaler, and they were going to get breached.
But they realized that my independence gained some trust with people because I was not selling Zscaler just for the sake of it. I always said, “Go try Palo, go try Cisco, try whatever you want. I know my product will be better and you’ll come back to me. But I see in your architecture, we don’t work for you.
You need a more on-prem tool or you need a tool we don’t have, and you’re better to go with a single platform.” And they realized that we got to sell this stuff honestly, right? If we keep just selling crap, then the CISO title is garbage anyways at that point, and you’re just an AE. And that sounds bad to AEs, and I apologize.
[David Spark] Well, no, no. But I just want a last comment on Dmitriy’s point about the field CISO being a temporary role. What do you think about that suggestion?
[Bil Harmer] It should, it really should. I do agree that when you end up in that consultative side where you’re not handling day-to-day responsibilities and there’s pressure and urgency that come with the day-to-day responsibilities, you do lose it. It is a much more comfortable, no direct reports, a lot of travel, speaking.
I loved it. It was fun. I had a great amount of fun doing it. But I did find internally, I was drawn back to becoming a CISO again, so that I would not lose the edge of what’s changing in the industry.
What do most people think it is, and what’s the reality?
8:33.640
[David Spark] Sanjeev Pradhan of Capita said, “Field CISO is not a new role, nor is it a downgrade to the existing CISO role. The term more refers to an open-door policy in the security world. CISOs are no more confined within the four walls and make and participate in security strategic decisions.
They want to step out of their comfort zone and be on the field to understand the challenges faced by everyone in the security arena, present the organization in the open market, and address the queries of every partner, stakeholder, sales, etc., from a security side. The term field CISO looks to be a new door for the security world, which aims to bring more visibility, accountability, accessibility, responsibility, and proactiveness.” And Michael J.
Levin, deputy CISO over at 3M, said, “I’ve seen the position operate as a sales architecture position for individuals that have had previous CISO operational experience, no responsibility or accountability. Generally, it feels like a non-contract version of a virtual CISO.” So, some pretty strong opinions on this one.
I’ll actually start with you, Bil. What do you take of this being that you did this?
[Bil Harmer] Well, Michael, he’s got a point there. That concept that is now popping up all over the place of the VC. So, fractional CISOs that are being hired, it really was a lot like that. How could I come in and talk to another CISO or CIO around architectural transformation based on products I knew and things I had seen with other customers?
So, they were getting free consulting out of it. So, I think that’s really why they were accepting and willing to talk to me and work through those. With Sanjeev, I’m not really sure where he’s going with that simply because it just sounds like field… I think field CISO is getting abused now. I think you can hire people who have no CISO experience as field CISOs, which I think like anything CISO-esque, it’s just being used for security marketing.
I guess I’d be careful just in how we start to approach this or continue to use it.
[David Spark] Okay. Geoff, your opinion, two very strong opinions here.
[Geoff Belknap] I’m going to just call out sort of the elephant in the room, which is as accountability and certainly liability, both personal, criminal, and civil liability has increased and now is ever present for the CISO role, if I’m the CISO or deputy CISO for a public company, I am pretty nervous if there’s somebody else out in the field talking to customers that’s carrying some kind of CISO title if it’s unclear what they’re responsible for, if they are making claims on behalf of the organization that ultimately the SEC might find that I am liable for, that’s a real concern.
And I think that’s largely where my pushback on the use and overuse of this title comes from. I think if it’s very clear that this person is in an advisory role, a consultative role, a field marketing role, whatever that might be, if you’re a former CISO now doing consulting, like Duo used to do back in the before time, all that is great.
But today, now that things have evolved, there’s a real concern here about public statements muddying the waters about what are actual claims of your security program versus sort of just we’ll say industry thinking or thought leading.
[Bil Harmer] Yeah, I think you’re absolutely right. I think, again, the CISO title being pushed around, if you look at some of these organizations that have field CISO orgs inside them, they do not report to the global CISO. They don’t even report into the security department or the CIO. They’re reporting into user transformation and experience, right?
So, it’s leaning heavily into that field marketing side, and I think that needs to be made very clear with all of the legal aspects that are coming out around the CISO title. In fact, it gets you into that whole question of are CISOs really CISOs based on where they report in the organization? And so many of them do not have a seat at the table or report to a CEO.
[Geoff Belknap] Yeah, ultimately, I think that’s where this debate lies today. I mean, personally, before the liability issue came into play, is it annoying? Is there sort of an ego touch if somebody else is running around with the CISO title and they don’t really have the day-to-day operational responsibility?
Like, yeah, but who cares? But now, if the dividing line on liability are public statements made on behalf of your company, well, now it’s a real concern.
[David Spark] All right. By the end of the show, you’re going to come up with new title names for this position or whatever this position is because we think it’s a little bit of a moving target. Stay tuned, everybody.
Sponsor – Cyera
13:22.058
[David Spark] Before I go on any further, I do want to mention our absolutely awesome sponsor, and that’s Cyera. Data is the largest and fastest growing security attack surface in the world. Every business is using data to collect insights and create new products, but they have to do so without placing the business at risk.
Solving data security starts with knowing your data. That is where Cyera’s data security platform can help. Discover your data attack surface, monitor, detect, and respond to data risk, and help govern data use.
Imagine if your organization’s OneDrive was compromised by ransomware. Would you know what data was in that OneDrive? Would this trigger a compliance issue? How much would it cost you to use outside counsel to determine materiality? Cyera delivers the insights you need. It all starts with their agentless approach to data discovery, which occurs across any environment, cloud, SaaS, even on-premises, making deployment fast and simple.
Cyera’s classification is based on their own LLM and has an accuracy of 95%. Companies like Paramount Pictures trust Cyera to discover their data, its sensitivity, and who has access to it. To learn more, visit cyera.io. Go check it out.
I didn’t think of these options.
14:54.510
[David Spark] Larry Whiteside Jr., who’s the CISO over at RegScale, said, “It’s a way for an actual CISO to step out of an operational role and move into a consultative role and still give them a title commensurate with the experience in the role.” By the way, I think that sums it up exactly why that title exists.
He goes on to say, “The day-to-day operational CISO role is tiring and sometimes a stint in a consultative role that doesn’t diminish what they’ve already done in their career.” Ira Winkler of CYE said, “As a field CISO, my job isn’t sales. It is consultative to make sure requirements are met. Yes, this helps sales be more targeted, but it also helps clients make the best use of good tools, understanding their needs and concerns, etc.
It is more of a trusted partner role to serve as an advisor with specific regards to the products. But also in my case, as a friend they go to for other concerns as appropriate.” So, when I hear field CISO, I hear someone who’s been a CISO, knows what it’s like to be a CISO, I’m here to help you out with implementation or any questions you may have.
What do you think, Bil?
[Bil Harmer] That’s exactly it. I disagree that Ira says his job is not sales. Everybody’s job is sales, but from a different perspective, right? I do agree. It’s a consultative role. And I do like what Larry is bringing into it because for me, it was a good way to step out and get away from… I had been in audits for nine years, pentesting and all the other pieces that came with it, the deliverables.
And I could step out and I could approach it from a different side. I could better develop my skills, better develop how I helped my customers and take it on. And I think as I’m starting to think about the future of it, that CISO-in-residence is a hell of a good way to look at it because it denotes a separation.
You should have a CISO and then we have a CISO in residence. And then you’ve got that history and title. The tough part is going to be that we’re going to keep hiring people that have never been CISOs as field CISOs, real strong sales engineers, or people who’ve done some parts of it who have never been a CISO.
And they’re going to be getting that title, which is going to, I think, confuse the industry.
[David Spark] Good point. All right, Geoff, your take on this. I mean, the way I’ve always understood it to be prior to we having this discussion, I didn’t realize there was so much confusion. I always felt it was just a consultative role for potential or existing customers.
[Geoff Belknap] I mean, that’s really how I’ve always looked at it. I think my only pushback has been when the line is intentionally, either through a mission or through words, blurred between whether they’re really consultative or operational. I think it is a fantastic opportunity, and I have thought about it several times myself to kind of step out of an operational role and still have a really big impact in an organization.
I think there are so many security leaders that would love to be on the value creation side of the org that they’re in, instead of constantly feeling like they’re the guy just spending all the money or the person just spending all the money versus helping generate value for the organization.
And I’ll say to Bil’s point, if everybody’s in sales, I look at it as my job to make sure the organization is successful. I just look at it as sales and marketing and product engineering can’t be successful shipping an insecure product, right? So, I think about I want to help drive success that way.
Not just by helping a customer close a deal, but by making sure they’re engaging, and the business is providing something really safe, secure, and private. I think in this case, I think we as industry just need to agree, like, look, field CISOs probably need to have been a CISO prior. And we need to be really clear, whether through public statements or otherwise, that field CISOs are customer-facing people without operational responsibility.
And I think that would really just clear this all up so that nobody’s competing for the space that they’re responsible for. And we can recognize, acknowledge, and lift up the people doing the really, really hard, and important work in the field.
What’s the CISO’s role?
19:13.823
[David Spark] Juliet Okafor of RevolutionCyber said, “The word CISO captures attention.” It’s definitely captured Geoff’s attention, and I’ll go on and say, “And implies knowledge, credibility, and trust.” Man, that sums it up right there. Way to go, Juliet. Let me go on. She says, “However, the role in and of itself should be held apart from the sale and marketing of software.
I know so many great CISOs and so many unqualified vCISOs, many who have never been CISOs and likely would fail at the role within an organization. It’s being used in ways that the title wasn’t meant to signify, which reduces its inherent value.” This speaks to a lot of what you were just saying, Geoff.
[Geoff Belknap] It sure does. I think here’s the other side of it. And I think I worry less about this than maybe Juliet does, but I think they bring up a great point here, which is there’s a lot of people that desperately want to be CISO. And for the life of me, I can tell you from sitting on this side for many years, I don’t know why.
But look, by all means, you’re on your journey, but more power to you. And I think this is just the vCISO, the fractional CISO, the field CISO, the advisory CISO to a lesser extent. I think those are products of that initial pressure of everybody wanting to be the top leader in security. And that’s great, but I think we’re definitely at a point where we need to sort out that titles really matter now, along with liability, they mean specific things.
And I will just point out, there are no field CFOs, there are no field general counsels. Outside of technology, we don’t do this.
[David Spark] You’re right. You don’t do it with any other C-level role.
[Geoff Belknap] Yeah. And so I just find it very confusing.
[Bil Harmer] Now they’re throwing CTOs out there now, field CTOs.
[Geoff Belknap] Well, I was going to name that.
[David Spark] All right, do those exist?
[Bil Harmer] I have definitely seen it. Yep, yep.
[David Spark] Okay.
[Geoff Belknap] And what it is, it’s exactly what Juliet is saying. You want to get the attention of your customer, and sometimes for very valid reason that they’re going to have trouble making a decision or building an architecture that’s really going to work, and it both drags out the sales cycle, but also drags out your customer has a problem they’re trying to solve.
And if they can’t make a decision, or they’re looking around in the industry, and they don’t have a network deep enough to help them find somebody that can give them some advice, and you’ve got somebody like Bil that has lots of experience that can give you input, you want to connect them. That makes a lot of sense.
And I think sometimes we’ve used that title to just go like, “Ah, this person has this experience.” And I think we should keep doing that, I just, I will come back to beating the dead horse here that like, we should probably use a different title, or I think that was a great suggestion of CISO-in-residence can happen in other places than just VCs.
It’s a great way to indicate, “Here’s somebody that’s got the experience, and they’re here to help you, and they’re not just here to push product.”
[David Spark] All right. Bil?
[Bil Harmer] I think honestly one of the things I’d love to see come out of this someday is a professional designation of CISO. Something where there’s credentials, life experience, the pieces that need to happen, that we can actually, if we’re going to be held liable for this, then we should have a professional designation that is commensurate with what we’re being looked at to do.
[David Spark] Because doctors and lawyers become liable, and they have…
[Bil Harmer] Exactly, exactly. CPAs, dentists, all of them. I’d love to see that happen because then we could start to cleave out some of the misuse of it. You would have to have the professional designation to be given and use the title. And then we’d stop having things like senior manager/CISO buried inside a company because somebody needs to have a CISO on staff somewhere.
[Geoff Belknap] Maybe we should have resident CISO, attending CISO, department chair CISO. Just look to medicine. That’ll be fun.
[Bil Harmer] So, I think at least when you do the CISO-in-residence, you can then be stating, I have a CISO. They’re the ones with the legal responsibility for what they say and how we run this company from a security perspective. But a CISO-in-residence has joined us to help our customers benefit from security knowledge.
And at least maybe that way you’ve got a chance of getting somewhere with it.
[David Spark] All right. I don’t know if you know about this, Geoff, but a while back, one of our fans messaged me and asked me if I wanted to be a CISO and that I should be one. So, I asked Mike Johnson this question, do you think I would make a good CISO? I don’t know if you know what Mike said, but I’m going to ask you the same question, putting you on the spot.
And maybe you know what my own answer would be too.
[Geoff Belknap] [Laughter] Well, I didn’t hear you say you wanted to be. I just heard…
[David Spark] Geoff, do you think I would make a good CISO?
[Geoff Belknap] I think you have many of the personality traits that it takes to be a phenomenal CISO.
[David Spark] And that’s where he ends.
[Laughter]
[Bil Harmer] That’s where we’re just going to stop on that one.
[David Spark] And it stops right there. I want you to know that…
[Geoff Belknap] Well, wait, let me expand on that without the dramatic pause. I think a lot of being a CISO, once you sort of put aside understanding the technology and sort of getting depth in those areas, is understanding how a business works, how it makes money, and how it grows and thrives. And it’s just being a resilient person that can handle, I like to call it chaos, but we’ll say a more dynamic, fast-paced environment where things are constantly changing.
There’s always stress. There’s always sort of stuff that happens at the last minute.
And I forget what movie it is, but they talk about it like the world is always a risk. The world is always in need of saving. There’s always another problem. And you have to be somebody that can bounce back through that and sort of survive all of this constant stress. And I know with your background in stand-up comedy, I think you know exactly what that’s like, where it’s a couple of minutes of terror every week, and then you keep going back for it because you just can’t get enough.
[David Spark] I would not even slightly equate the two. Now, I want you to know that Mike Johnson was not nearly as polite as you. I just want to say the word “no” couldn’t have come out faster from his lips. It came out like a frigging bullet. “Shut up. No, no way would you be good.” [Laughter]
[Geoff Belknap] I think you’d be great, David. I got to disagree.
[David Spark] You’re very kind. I want to let everyone know, I would be horrible, I would be awful. You definitely do not want to hire me as a CISO. God, geez, scares the crap out of me. Now, it’s interesting you mentioned that. I used to work in the advertising industry, and I used to hear the word “emergency” multiple times a week.
I was about to say daily, but not daily, but definitely multiple times a week. Do you know when there’s an emergency in advertising? Never. That’s exactly the number of times it happens. Exactly never. But I heard it multiple times a week. That’s why I got out of the industry because I was tired of listening to that.
There’s never an emergency in advertising, ever.
[Geoff Belknap] I’m still waiting to find out if I’m any good at this. So, at some point, someone will let me know.
[David Spark] At some point, someone will say, “Hey, Geoff, you’re pretty good at this.” Let me ask you, do you get your paycheck every month?
[Geoff Belknap] Money ends up in my bank account, so at least passable.
[David Spark] So, someone believes you’re doing a good job.
[Geoff Belknap] I don’t know if I would go that far, but someone tolerates me. That I would agree on.
Closing
26:44.539
[David Spark] All right. Let’s wrap this sucker up. Bil, this is the point of the show where I ask you which quote was your favorite and why? So, looking over the quotes, tell me which quote was your favorite and why do you like it so much?
[Bil Harmer] I think Dmitriy’s. I liked his concept that it was a temporary role, and that it’s sort of an in-residence type role that should be taken on.
[David Spark] I like that too. It definitely threw me. All right, Geoff.
[Geoff Belknap] I’m going to cop out here and pick Phil’s, where Phil talks about the fact that he is the CISO for Google Cloud, and he’s got all the subsequent responsibility and accountability. And their version of building a field CISO organization is building the office of the CISO and leaning into people that are part of that organization, but not really representing themselves as CISOs in fact.
[David Spark] Excellent. Well, that wraps up our show. Thank you so much, Geoff. Thank you very much, Bil. That was Bil Harmer, who is not only the CISO over at Craft Ventures, but also the operating partner as well. He holds two titles over there, and neither one is more diminished because the other one is held.
I do want to mention our absolutely spectacular sponsor, and that is Cyera, holistic data security in one cloud platform. You should be checking out their website, cyera.io. Geoff, thank you as always. Bil, let me ask you a question. Are you hiring over at Craft Ventures? Are any of your portfolio companies hiring?
What’s going on?
[Bil Harmer] Portfolio companies are always hiring. You can actually go to craftventures.com and look up the jobs that we are helping our portfolio companies fill.
[David Spark] So, you amass them all in one space. Ah.
[Bil Harmer] Makes it easy, and we have a full talent team, six people that help in very specific verticals for hiring.
[David Spark] Ah, excellent. Craftventures.com?
[Bil Harmer] Craftventures.com.
[David Spark] Excellent. Thank you very much and thank you to our audience. We greatly appreciate your contributions and for listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.
If you’re interested in sponsoring the podcast, contact David Spark directly at [email protected]. Thank you for listening to Defense in Depth.